Re: Audit problem

From: Ken (k.wong@mail.hongkong.com)
Date: 03/24/03

• Next message: Frank: "verify a certificate"
• Previous message: Phil Margolies: "Re: missing desk top files"
• In reply to: Ondrej Sevecek: "Re: Audit problem"
• Next in thread: Leônidas: "Re: Audit problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Ken" <k.wong@mail.hongkong.com>
Date: Sun, 23 Mar 2003 18:10:53 -0800

Ondra,

Thanks for reply. I already enabled the suditing
setting. I can log many activities but just file and
directories move cannot log.(maybe not only) I guess that
file or directories move within a NTFS partition can
maintain their permission and properties. So, nothing
inherit from parent in order that the security log cannot
log anything.

You can try a simple test. Move a directory inside
another directory which already setting all success and
fail audit options. Then, try to check your security log,
you cannot find anything about the directory move action.

Regards,
Ken

>-----Original Message-----
>Have you enabled auditing in Local Policies\Computer
>Configuration\Security\LocalPolicy\AuditPolicy -
ObjectAccess??
>Start gpedit.msc to gain access to these settings.
>
>Ondra.
>
>
>"Ken" <k.wong@mail.hongkong.com> wrote in message
>news:247c01c2ef8d$db0091b0$a001280a@phx.gbl...
>> Hello all,
>>
>> I enable object access audit setting and apply all audit
>> options in a directory in order that I log all events
>> inside that directory. But, when I move a directory
>> inside that specified audited directory, I cannot find
any
>> records in the security log. I am surprise that I've
>> already enabled all options but it still can't log the
>> move action. Any suggestions? TIA.
>>
>> Ken
>
>
>.
>

---

• Next message: Frank: "verify a certificate"
• Previous message: Phil Margolies: "Re: missing desk top files"
• In reply to: Ondrej Sevecek: "Re: Audit problem"
• Next in thread: Leônidas: "Re: Audit problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Event Viewer Getting Full ... You can increase the size of the security log and by default it is ... audit for only specific files and avoid using the users and everyone group to audit. ... > Event Viewer Getting Full when I enable object access. ... (microsoft.public.win2000.security) Re: Ghost in the Recycle Bin ... Audit account logon events ... Prevent local guests group from accessing application log ... Prevent local guests group from accessing security log ... (microsoft.public.windowsxp.help_and_support) Re: administrator sign on ... I dont' think Windows audits this by default. ... Event log in the Security log, in the Computer Management MMC. ... also audit success of, say, logon events, and probably also system events, ... (microsoft.public.security) Re: Audit the administrator account? ... In a Windows NT domain, the security log of the PDC can be configured to ... "Audit these events" and turn on auditing for "User and Group Management"... ... Event Log for the PDC for event ID 628. ... (microsoft.public.win2000.security) Re: DC Policy: just want to audit files, not set security ... definition to deliver only Audit SACL to some storage ... > to audit everything. ... Just enabling auditing of object access will generate ... > lot of events in the security log. ... (microsoft.public.windows.server.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)